I'm not sure I have quite enough info from your post to give a really solid answer, but I'll give a few thoughts here and we can whittle those down. First, let me explain a bit about how I think I might do that. The app can be sent to universal forwarders, and in fact is really intended to be. So, at a basic level it's certainly possible to set up a forwarder on each subnet and push the app to it. At that point, the reported "host" value would be that of the forwarder, so each subnet would theoretically be represented by a single host/scan point, and you would filter for that (i.e. in the "Host Overview" page you could enter host=scan_point1, etc). The benefit there is that you'd get very fast scans because they'd all be running in parallel. Of course, that may not be possible for any number of reasons, so you could also choose to (as you mentioned in your post) manually set the host value for the various inputs, even without having different hosts actually performing the scans.
There's also an existing "lookup" in the app (in $SPLUNK_HOME/lookups/geoip_internal.csv.example), which can be configured to associate a CIDR range with a city, latitude, and longitude. The use of that lookup isn't pervasive in the app at this point -- it's really just used on the GeoMap view -- but you could certainly configure it as an automatic lookup, and doing so would allow you to filter by the "city" value (doesn't really even need to be the name of a city, but could be just an arbitrary location name, and you could even modify the lookup from "city" to "location"). The benefit there is that taking the time to set up latitude and longitude will allow you to use the map to view the various locations by the up/down status, etc. The "Host Overview" page would then allow you to filter for "city=scan_point1", etc., as well. You could also just set up your own automatic lookup outside of the one mentioned in order to add your own label field to groups.
I think that it would be ideal to actually implement both of those, getting the best granularity possible with the "host" field by having multiple scan points, and then to also use an automatic lookup to add additional criteria.
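The two approaches from the answer above, sketched as Splunk configuration. This is an added example, not part of the original post or the app's own configuration: the input stanza, the sourcetype name, the event field `dest_ip`, and the CSV column names are assumptions to replace with the app's real ones, and it assumes the `.example` file has been copied to `geoip_internal.csv`.

```ini
# ---- inputs.conf (on each forwarder, or once per input on a single host) ----
# Manually label the scan point instead of relying on the forwarder's hostname.
# The stanza name below is a placeholder for the input the app actually ships.
[<input stanza shipped by the app>]
host = scan_point1

# ---- transforms.conf (search head) ----
# Lookup definition. match_type = CIDR(...) makes Splunk match an IP address
# in the event against the CIDR ranges in the named lookup column, rather
# than requiring an exact string match.
[geoip_internal]
filename = geoip_internal.csv
# "cidr_range" is an assumed column name; use the header from the CSV.
match_type = CIDR(cidr_range)
# Return only the first matching range, so list the most specific
# ranges first when ranges overlap.
max_matches = 1

# ---- props.conf (search head) ----
# Automatic lookup: applied at search time to every event of this sourcetype.
# "<scan sourcetype>" and "dest_ip" are assumptions; substitute the sourcetype
# and IP field that the app's scan events actually carry.
[<scan sourcetype>]
LOOKUP-scan_location = geoip_internal cidr_range AS dest_ip OUTPUTNEW city latitude longitude

# ---- geoip_internal.csv (constructed sample rows) ----
# cidr_range,city,latitude,longitude
# 10.1.0.0/24,scan_point1,40.7128,-74.0060
# 10.2.0.0/24,scan_point2,51.5074,-0.1278
```

With both in place, `host=scan_point1` identifies which scanner produced an event and `city=scan_point1` identifies which range the scanned address falls in, so the two filters can be combined or checked against each other.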